The intelligence division at the Treasury Department has repeatedly and systematically violated domestic surveillance laws by snooping on the private financial records of US citizens and companies, according to government sources.

Over the past year, at least a dozen employees in another branch of the Treasury Department, the Financial Crimes Enforcement Network, have warned officials and Congress that US citizens’ and residents’ banking and financial data has been illegally searched and stored. And the breach, some sources said, extended to other intelligence agencies, such as the National Security Agency, whose officers used the Treasury’s intelligence division as an illegal back door to gain access to American citizens’ financial records. The NSA said that any allegations that it “is operating outside of its authorities and knowingly violating U.S. persons’ privacy and civil liberties is categorically false.”

In response to detailed questions, the Treasury Department at first issued a one-sentence reply stating that its various branches “operate in a manner consistent with applicable legal authorities.” Several hours after this story published, the department issued a more forceful denial: “The BuzzFeed story is flat out wrong. An unsourced suggestion that an office within Treasury is engaged in illegal spying on Americans is unfounded and completely off-base.” It added that “OIA and FinCEN share important information and operate within the bounds of statute.”

Still, the Treasury Department’s Office of the Inspector General said it has launched a review of the issue. Rich Delmar, a lawyer in that office, offered no further comment.

But a senior Treasury official, who is not authorized to speak on the matter so requested anonymity, did not mince words: “This is domestic spying.”

Sources said the spying had been going on under President Barack Obama, but the Donald Trump appointees who now control how the department conducts intelligence operations are Treasury Secretary Steven Mnuchin and Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker.

At issue is the collection and dissemination of information from a vast database of mostly US citizens’ banking and financial records that banks turn over to the government each day. Banks and other financial institutions are required, under the Bank Secrecy Act of 1970, to report suspicious transactions and cash transactions over $10,000. The database is maintained by the Financial Crimes Enforcement Network, or FinCEN, a bank regulator charged with combatting money laundering, terrorist financing, and other financial crimes. Under the law, it has unfettered powers to peruse and retain the data.

In contrast to FinCEN, Treasury’s intelligence division, known as the Office of Intelligence and Analysis, or OIA, is charged with monitoring suspicious financial activity that occurs outside the US. Under a seminal Reagan-era executive order, a line runs through the Treasury Department and all other federal agencies separating law enforcement, which targets domestic crimes, from intelligence agencies, which focus on foreign threats and can surveil US citizens only in limited ways and by following stringent guidelines.

FinCEN officials have accused their counterparts at OIA, an intelligence unit, of violating this separation by illegally collecting and retaining domestic financial information from the banking database. Some sources have also charged that OIA analysts have, in a further legal breach, been calling up financial institutions to make inquiries about individual bank accounts and transactions involving US citizens. Sources said the banks have complied with the requests because they are under the impression they are giving the information to FinCEN, which they are required to do.

One source recalled an instance from 2016 in which OIA personnel, inserting themselves into a domestic money-laundering case, sought information from a Delaware financial institution. In other cases, according to a second source, FinCEN gave OIA reports with the names of US citizens and companies blacked out. OIA obtained those names by calling the banks, then used those names to search the banking database for more information on those American citizens and firms.

Sources also claimed that OIA has opened a back door to officers from other intelligence agencies throughout the government, including the the CIA and the Defense Intelligence Agency. Officials from those agencies have been coming to work at OIA for short periods of time, sometimes for as little as a week, and thereby getting unrestricted access to information on US citizens that they otherwise could not collect without strict oversight.

“This is such an invasion of privacy,” said another Treasury Department official, who, lacking authorization to speak on the matter, asked not to be named. This person predicted that banks “would lose their minds” if they knew that their customers’ records were being used by government intelligence officers who did not have the legal authority to do so.

The Defense Intelligence Agency did not respond to a request for comment. CIA spokesman Dean Boyd said, “Suggestions that the Agency may be improperly collecting and retaining US persons data through the mechanisms you described are completely inaccurate.”

Sources claimed the unauthorized inspection and possession of Americans’ financial data have been going on for years but only became controversial in 2016, when officials at FinCEN learned about it and began objecting. Early last year, Treasury’s Office of Terrorism and Financial Intelligence, which oversees OIA, proposed transferring much of FinCEN’s work to OIA.

In a bureaucratic turf war, FinCEN officials objected to the proposal, which would have shifted numerous employees and a portion of FinCEN’s budget to OIA. They said the move was illegal without prior approval from Congress.

And they claimed that OIA, because it is part of the US intelligence community, could not legally collect information on US citizens and residents unless it complied with a landmark executive order known as 12333. Signed by President Ronald Reagan and later revised and reissued by President George W. Bush, this order sets the rules for how intelligence agencies can operate. Before any agency can collect, retain, and disseminate intelligence on American citizens, that agency must establish privacy guidelines, and those guidelines, in turn, must be approved by the attorney general after consulting with the director of national intelligence. OIA, which was established in 2004, has never completed this process. Even so, it must follow rules designed to protect the civil rights and privacy of American citizens.

The Office of the Director of National Intelligence and the attorney general declined to comment.

Also, sources said, under an agreement between the two branches of Treasury, OIA is allowed to access FinCEN’s banking database for specific foreign intelligence purposes. But, these sources said, OIA has been going far beyond those limits, flouting both this agreement and the executive order.

Last summer, FinCEN officials asked to review OIA’s guidelines required under the executive order. Instead of being given the guidelines, sources said, they were removed from an email chain about the issue.

In September, a high-ranking attorney for the Treasury Department, Paul Ahern, got into a heated exchange at a meeting with at least a half-dozen FinCEN employees. He told them that OIA had the authority to access and use the data because it had preliminary, draft guidelines, according to people with knowledge of the meeting. In fact, more than a month would pass before the guidelines were written, according to a first draft reviewed by BuzzFeed News. To this day, the guidelines have not been finalized.

Ahern, sources said, also informed FinCEN officials that OIA had already been collecting information on US citizens. Many FinCEN officials were aghast because they believed that was illegal.

A Treasury Department spokesperson declined to make Ahern available for comment, and referred back to the department’s statement that all its offices act “in a manner consistent with applicable legal authorities.” The former head of OIA, S. Leslie Ireland, who resigned last year, did not respond to a request for comment. This month, she was named to the board of directors of banking giant Citigroup. The company declined comment.

Some FinCEN officials said they were instructed not to speak to Congress about their domestic spying concerns and other issues. They did anyway.

In October of 2016, Rep. Sean Duffy, the chairman of the House Subcommittee on Oversight and Investigations, sent a letter to then-Treasury Secretary Jacob Lew asking for OIA’s legal authority to collect and retain domestic information.

Nearly one year later, the Congressman has yet to receive an answer, according to a committee staffer.

Officials at FinCEN said that after they began raising alarms, OIA began shutting them off from classified networks. That lack of access, which BuzzFeed News reported last week, meant FinCEN officials were unable to fully respond to law enforcement agencies during several live terrorist attacks over the last year. It also prevented FinCEN from fully complying with the Senate investigation into possible collusion between Donald Trump’s campaign and Russia.